Kansas Statutes § 50-7a01 et seq.
Type of Data Covered: Computerized or electronic data.
Is Breach Defined?
“Security breach” means the unauthorized access and acquisition of unencrypted or unredacted computerized data that compromises the security, confidentiality or integrity of personal information maintained by an individual or a commercial entity and that causes, or such individual or entity reasonably believes has caused or will cause, identity theft to any consumer. Good faith acquisition of personal information by an employee or agent of an individual or a commercial entity for the purposes of the individual or the commercial entity is not a breach of the security of the system, provided that the personal information is not used for or is not subject to further unauthorized disclosure.
When is notice required?
Notice is required for all affected Kansas residents when an initial investigation determines that fraud is likely to occur. The party must give notice "in the most expedient time possible and without unreasonable delay, consistent with legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system." If over 1,000 residents are affected at one time, then consumer reporting agencies must be notified as well. There are no stipulations on the content of the notice.
What are the penalties for non-compliance?
Violations have their own sections of the law, § 50-7a02(g)-(h), which read as follows:
(g) For violations of this section, except as to insurance companies licensed to do business in this state, the attorney general is empowered to bring an action in law or equity to address violations of this section and for other relief that may be appropriate. The provisions of this section are not exclusive and do not relieve an individual or a commercial entity subject to this section from compliance with all other applicable provisions of law.
(h) For violations of this section by an insurance company licensed to do business in this state, the insurance commissioner shall have the sole authority to enforce the provisions of this section.
§ 50-7a03 also provides a standard for data destruction for entities that are not covered by other regulations:
"Unless otherwise required by federal law or regulation, a person or business shall take reasonable steps to destroy or arrange for the destruction of a customer’s records within its custody or control containing personal information which is no longer to be retained by the person or business by shredding, erasing or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means."